Immunity, Inc.
Name: ms15_102
CVE: CVE-2015-2525
Exploit Pack: CANVAS
Description: Windows Task Arbitrary File Deletion
Repeatability: Infinite
Notes:
This module exploits a vulnerability in the Task Scheduler Service (schedsvc.dll).
When a scheduled task is created with the DeleteExpiredTaskAfter (https://msdn.microsoft.com/en-us/library/windows/desktop/aa381847(v=vs.85).aspx) property set, the Task Scheduler waits that amount of time before deleting the task and its related file. The problem arises because the service deletes the file (through a DeleteFile call) on a callback thread running as Local System.
A junction attack can therefore be mounted against the deletion process, giving the attacker a primitive to delete any file on the system that Local System can delete.

References:
https://technet.microsoft.com/en-us/library/security/ms15-102.aspx

Tested on:
Windows 8.1 Enterprise x86
Windows 7 Ultimate SP1 x86
Windows 7 Professional SP1 x64

VENDOR: Microsoft
CVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2525
CVE Name: CVE-2015-2525
